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(57) Abstract 

A method and apparatus for an adaptor card (40), for use in a computer (50), to provide conditional access by the computer (50) to 
incoming data streams while maintaining the security of information by maintaining a listing of addresses corresponding to data streams 
which the computer (50) is authorized to receive, receiving and determining the address of a frame, determining whether the frame address 
matches an address maintained in an Access Table, and processing and transmitting only those frames of data streams with the computer 
(50) is authorized to receive. 
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AN ADAPTOR CARD PROVIDING CONDITIONAL ACCESS 



FTELD OF THE INVENTION 
The present invention relates generally to the field of communications, and more 
specifically to conditional access by computers to data streams transmitted via satellite. 

BACKGROUND OF THE INVENTION 
Satellite communication has long been used to broadcast data to computers. In 
situations requiring the same data to be transmitted to multiple sites, satellite 
communication, which allows a single transmission of data to be received at multiple 
sites, can be more cost effective than terrestrial communication, which requires separate 
transmission to each site. 

In the past, data broadcast via satellite to a computer typically was received by an 
external satellite receiver, which serially passed a single data stream to the computer 
through a serial adapter interface. An example of such a system is the Opportunistic Data 
File Broadcast system developed by Hughes Network Systems, which employs a 
Compression Labs Spectrum Saver satellite receiver to pass RS-422 serial data to high- 
speed adapters in computers at remote sites. This particular system has been used by 
financial institutions to broadcast financial data from central data centers to branch 
offices. 

For commercial data broadcasts, conditional access technology enabling only 
authorized users to access the broadcast data is essential to ensure payment for the data. 
Conditional access is typically implemented by encrypting the broadcast data and 
providing the decryption keys only to authorized receivers. In prior satellite data 
communication systems, such as the Opportunistic Data File Broadcast system, 
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conditional access functions have been performed by the external satellite receiver, which 
outputs a single decrypted data stream to the receiving computer. In these systems, 
conditional access is provided for only a single data stream. Thus, to access multiple data 
streams simultaneously transmitted would require users to have a complete set of 1 
5 receiving equipment for each data stream. 

Another type of satellite communication system has been suggested in which an 
adapter card, insertable into a computer, enables satellite reception without the need for 
the external satellite receiver. Examples of such systems are disclosed in U.S. Patent No. 
4,777,657 to Gillaspie, U.S. Patent No. 5,019,910 to Filmer, and U.S. Patent No. 

10 5,359,367 to Stockill. 

However, these references fail to teach a system incorporating conditional access 
technology, and similarly fail to provide for simultaneous receipt of multiple data streams 
where the data streams are individually conditional access controlled. Furthermore, to the 
extent that the prior art discloses use of decryption hardware, none of the prior art 

15 systems extends the use of the hardware beyond decrypting an incoming broadcast data 
stream to providing encryption and decryption operations for the connected computer. 

SUMMARY OF THE INVENTION 
The present invention addresses the shortcomings of prior art systems by teaching 

20 a secure satellite communication system for providing subscribers with conditional access 
to broadcast satellite data through their computers. This system maintains the security of 
information by providing access only to authorized users, and provides an additional 
benefit by enabling users to concurrently receive and decrypt multiple data streams. 

In a preferred embodiment, the present invention teaches a method for an adapter 

25 card, for use in a computer, to provide conditional access by the computer to input data, 
including data streams transmitted via satellite, wherein a data stream is comprised of at 
least one frame and each frame includes an address identifying the data stream. This 
method includes the steps of maintaining an Access Table, in which each table entry 
includes an address field for storing an address corresponding to a data stream which the 

30 computer is authorized to receive, receiving a frame and determining its address, and 
determining whether the frame address matches an address maintained in the Access 
Table in order to determine whether the computer has access to the data stream 
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corresponding to the frame. If a match is not found, the adapter card discards the frame, 
but if a match is found, the adapter card processes and transmits the frame to the 
computer through a bus interface. 

In a preferred embodiment, the adapter card additionally is capable of processing 
5 data transmitted from the computer. 

In addition to the method described above, the present invention is also directed to 
an adapter card for use in a computer, for providing conditional access by the computer 
to input data including frames of data streams transmitted via satellite, wherein each data 
stream is comprised of at least one frame and each frame includes an address identifying 
10 the data stream. The adapter card includes a receiver for receiving a data stream frame, 
an Access Table, in which each table entry includes an address field for storing an 
address corresponding to a data stream which the computer is authorized to receive, an 
integrated filter/crypto (IFC) block for determining an address of the received frame and 
determining whether the frame address matches an address maintained in the Access 
15 Table, and a bus interface for enabling communication between the adapter card and the 
computer. If the IFC finds that the frame address does not match a table address, the 
IFC block discards the frame, but if it finds a match, the IFC block processes the frame 
into output data, to be transmitted to the computer via the bus interface. The IFC 
preferably is also capable of processing data input from the computer into output data. 
20 The invention itself, together with further objects and attendant advantages, will 

best be understood by reference to the following detailed description taken in conjunction 
with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
25 Figure 1 is an illustration of one form of satellite broadcast system in which the 

present invention may be implemented. 

Figure 2 is a block diagram of the preferred embodiment of the adapter card 
receiver of the present invention. 

30 DETAILED DESCRIPTION OF THE INVENTION 

i 

It is envisioned that the present invention will be used in conjunction with a 
satellite broadcast system such as that shown in Fig. 1. As illustrated, this system 
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includes a network operations center (NOC) 10, satellites 20, antenna receivers 30, 
adapter card receivers 40 (adapter cards), and computers 50. 

In this system, a subscriber, through an adapter card 40 inserted in a computer 50, 
receives information in data streams broadcast via satellite 20. The data streams are 
uplinked to one or more communications satellites 20 by the NOC 10 from a large 
antenna broadcast earth station. Each data stream is broadcast in units of frames, with 
each frame including an address header for identifying the data stream, a data field 
containing data, and a CRC tail for ensuring accurate transmission. Preferably, the 
frames are encrypted, and the key needed to decrypt the data of a frame is identified by 
its address header. Accordingly, data can be accessed only by receivers having the 
proper key. 

Each antenna receiver 30, comprising a smaller antenna and low-noise block 
(LNB) element, receives the broadcast frames and transmits the frames lo a connected 
adapter card 40 inserted in the subscriber's computer 50, Because the subscriber may 
15 have access to only a subset of the broadcast data streams, the adapter card 40 screens 

incoming frames, and processes only those frames the subscriber is authorized to receive 
by using the frame address field to retrieve the corresponding key for decrypting each 
frame. The adapter card 40 then transmits the decrypted frames through a bus interface 
to the computer 50. 

20 The present invention is directed to the adapter card 40, which provides the 

conditional access to incoming data streams, and preferably enables concurrent reception 
of multiple data streams. By processing oniy authorized frames and discarding all others, 
the present invention prevents unauthorized frames from ever being passed to the 
computer 50. This not only prevents subscribers from illicitly accessing the decrypted 

25 data stream, but also provides a physical measure of security by preventing the encrypted 
data stream from being made available to be downloaded into the computer 50. This is 
an important feature because security mechanisms have been evaded by downloading 
encrypted data, as once the encrypted data stream is stored in the computer memory, the 
user can access the data for as many attempts as needed for decryption. 

30 By evaluating and decrypting incoming data streams on a frame-by- frame basis, 

the present invention enables simultaneous reception of multiple conditional access 
controlled data streams statistically multiplexed in a received signal. Furthermore, 
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because the present invention further enables frames to be decrypted as they are received, 
the need for buffer RAMs required in prior systems to store incoming frames can be 
substantially reduced or eliminated, thereby lowering the cost of the systems. 

As explained in greater detail below, the preferred embodiment of the present 
invention increases the security of the conditional access provided to the transmitted data 
streams by providing a secure management system for the decryption keys. More 
specifically, the preferred embodiment provides a system having at least two levels of 
encryption, in which the decryption keys are themselves encrypted and never appear to 
users in decrypted or human-intelligible form. 

In the preferred embodiment, the adapter card 40 additionally provides the 
encrypting and decrypting capabilities of the adapter card 40 to be used by the computer 
50 as a general purpose bulk data encryptor/decryptor, even while the adapter card 40 is 
concurrently processing received frames. Not only does this feature reduce the overall 
cost to the user by eliminating the need for a separate data encryption/decryption engine 
to handle computer data, it also permits the advantageous conditional access features of 
the present invention to be provided to data received by the adapter card 40 from the 
computer 50 via a number of possible sources, rather than from the satellite 20 alone. 

Figures 2 illustrates the adapter card 40 of the preferred embodiment, which 
includes the following functional blocks: 

1. Front End Block 41, 42: connects the adapter card receiver 40 to the 
antenna receiver 30, for receiving a plurality of signals from the NOC 10 
.via the satellite 20 and transmitting data streams 41a from a particular 

signal selected by the tuner 41 to the Demodulator Block 43; 

2. Demodulator Block 43: converts data streams 41a received on the selected 
signal into digital form and transmits the demodulated data stream 43a to 
the FEC Decoder Block 44; 

3. FEC Decoder Block 44: identifies and corrects transmission errors in the 
demodulated data stream 43a and transmits the corrected data stream 44a to 
the Integrated Filter/Crypto Block 45; 

4. Integrated Filter/Crypto Block 45: identifies frames within the received 
data stream 44a and decrypts frames of the accessible data streams; and 
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5. Bus Interface Block 46: enables communication between the adapter card 
40 and the computer 50. 

!• Front End Block ' 

In the preferred embodiment, as illustrated in Figure 2, the Front End Block 
includes a tuner 41 , which can be set to receive an IF signal in 100 kHz steps in the 
frequency range of 950 to 1450 MHz, and downconvens the received signal to an IF 
output centered at 60 MHz. The operation of the tuner 41 can be controlled 41b by the 
computer 50 through the Bus Interface Block 46, or in a preferred embodiment, a local 
microprocessor may be provided on the adapter card 40 to monitor and control the tuner 
41. 

The Front End Block preferably also comprises a DC-DC converter 42, to provide 
all power required by the tuner 41 as well as the attached LNB by converting a +5V 
signal 42a received from the computer power supply to voltages required by the various 
components (e.g., 42b). 

2. Demodulator Block 

The Demodulator Block 43 receives and demodulates the downconverted signal 
41a from the Front End Block. In the preferred embodiment, the Demodulator Block 43 
is implemented in a CMOS ASIC, and, through control 43b by the computer 50 or an 
adapter card microprocessor, provides all baseband signal processing required for 
demodulation. 

3. FEC Decoder Block 

The FEC Decoder Block 44 uses redundant data in the demodulated digital data 
stream 43a to identify and correct transmission errors. In the preferred embodiment, 
FEC Decoder Block 44 consists of a Viterbi soft-decision decoder, depuncture logic 
which allows the rate 1/2 Viterbi to operate at an effective rate of 2/3, a deinterleaver 
which scatters the errors resulting from the incorrect attempts to correct data, and a Reed- 
Solomon decoder capable of correcting the scattered errors. 




4. Integrated Filter and Crvpto Facility Block 

The Integrated Filter and Crypto Facility (IFC) Block 45 plays a primary role in 
enabling the inventive conditional access features provided. 

The IFC 45 receives frames of the digital data streams 44a, which are preferably 
5 encrypted. In the preferred embodiment, the standard DES algorithm is used, although 
alternative encryption algorithms are possible as well. 

There are numerous methods by which users can acquire decryption keys, and the 
present invention can be adapted for use with any of these methods. For example, a 
subscriber can obtain a "smart card" from the service provider, typically a credit-card 
10 sized card readable by the computer. In some cases, the information provider can send 
information that passes into the smart card to generate the decryption keys. Another 
method is to obtain the keys through messages received from the satellite link or over a 
terrestrial communications system (e.g., via a modem connected to the computer). Still 
another method is for the subscriber to obtain the keys orally from the information 
15 provider and to manually enter the keys into the computer through the keyboard input. 

The security of the present invention can be maintained with any of these systems 
because it does not depend solely on the security of the actual transmission of the keys. 
Rather, the security system of the present invention has multiple levels of security. At a 
first level, to receive any satellite data stream, a user must subscribe to the service 
20 provider and must obtain the necessary wiring and equipment. At the next level, security 
is enhanced by means of "groups." Each group comprises a set of data streams, and a 
subscriber must have access to a particular group in order to receive any of its data 
streams. Finally, in the preferred embodiment, an additional level may be provided by 
requiring subscribers to have specific authorization to receive each individual data stream 
25 within a group. 

The present invention implements this tiered conditional access system through key 
management. Users become subscribers by subscribing to the service provider and 
obtaining an adapter card receiver 40, having an IFC 45, to be inserted into a computer 
50. In the preferred embodiment, the IFC 45 is physically secured by implementation in 
30 an ASIC, which is equipped with a burned-in Master Key used for identification 

purposes. In the preferred embodiment, a unique Master Key is used for each IFC 45. 
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Preferably, to enhance the secunty of the conditional access features provided th* 
Master Key is used for subscriber identification rather than decryption. Accordingly ' 
each adapter card 40 is also assigned a unique User Key which is encrypted with the' 
Master Key before being distributed to the subscriber, and is decrypted only within 'the 
IFC 45. Thus prevents the User Key from ever appearing in unencrypted form even to 
the subscriber. Use of the User Key rather than the Master Key allows the Master Key 
to be kept phystcally secure within the ASIC and minimizes its use. thereby minimizing 
us exposure. Consequently, the only method of compromising the security of the Master 
Key 1S by brealcing the algorithm used to encrypt the User Key or by compromising the 
physical security of the IFC 45. Furthermore, the security of the overafl system can be 
maintained through key distribution by simply changing a subscriber's User Key This 
avoids the need for physical replacement of the IFC 45 even if the security of the User 
Key is compromised. 

In the preferred embodiment having group access requirements, the function of the 
User Key is to decrypt Group Keys. A subscriber wanting to access any data stream 
within a particular group must have the Group Key for that group. A Group Key can be 
distributed to subscribers by any appropriate means with little risk to the security of the 
system because the entity providing distribution of Group Keys will encrypt a Group Key 
with the subscriber's unique User Key before transmission. Accordingly, the Group Key 
can be decrypted only by the IFC 45 of the subscriber for which it is intended, 
minimizing the likelihood that it will be distributed to and successfully used by an 
unauthorized user. Furthermore, even the authorized subscriber will never have access to 
the decrypted Group Key, because the Group Key i$ encrypted by the User Key until 
decrypted within the physically secure IFC ASIC, and as described above, the subscriber 
25 does not have access to the User Key. 

In the preferred embodiment, the only function of a Group Key is to decrypt Data 
Keys for the data streams within the group. As discussed, because a subscriber must be a 
member of a group to access any of the data streams within the group, only subscribers 
having the appropriate Group Key can decrypt the Data Key. Additionally, because each 
30 Data Key is encrypted with its Group Key before being distributed to subscribers, in 

order to access and decrypt a particular data stream within a group, the subscriber must 
have the appropriate Data Key for that data stream. 



20 
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The combination of the Group Keys and the Data Keys determine the subscriber's 
accessibility to the incoming data streams, and must be kept current. In the preferred 
embodiment, an Access Table is stored in adapter card memory outside of the IFC 45, 
with entries corresponding to data streams the subscriber is authorized to receive. Each 

5 entry accordingly has fields for an address of a data stream the subscriber is authorized to 
access, and a Group Key and a Data Key required to decrypt that data stream. Because 
this table is located outside the IFC 45, the Group and Data Keys are stored in encrypted 
form in the Access Table. A microprocessor is preferably provided on the adapter card 
40 outside the IFC 45 to perform the table functions and to indicate to the IFC 45 

10 whether a particular address matches a table entry, and also to indicate the appropriate 
key, if a match is found. 

In the preferred embodiment, other aspects of the key management system are 
implemented within the IFC ASIC. For example, logic is provided for maintaining and 
storing current keys, as well as for handling data in both encrypted and decrypted form. 

15 As earlier noted, the IFC 45 in a preferred embodiment provides decryption functions for 
incoming frames as well as encryption and decryption functions for bulk data from the 
computer 50. To provide these features, the ASIC logic includes at least the following 
subblocks: 

UK Register, for storing the User Key of the subscriber, which as 
20 described above, is decrypted by the Master Key as it is loaded into the 

IFC 45; 

.GK Register, for storing a single Group Key. Although a subscriber may 
have access to more than one group, as described above, the preferred 
embodiment provides an access table outside the IFC 45 for storing the 
25 Group Keys in encrypted form. When the IFC 45 receives an encrypted 

frame, it extracts the data stream address, and if the address matches one 
of the access table entries, the appropriate Group Key is decrypted by the 
User Key as it is loaded into the IFC 45; 

DK Register, for storing a Data Key to decrypt input data, whether satellite 
30 data or computer data; 
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an encryption/decryption engine, for performing the actual decryption of 
satellite data, or encryption or decryption of computer data from other 
sources; 

Input Registers, for storing input yet to be processed, preferably including 
at least one register specifically designated for satellite data and at least one 
register specifically designated for computer data; 

Opcode Registers, for indicating the location of the appropriate key for a 
particular operation and the location where the output should be stored, 
preferably including at least one register specifically designated for satellite 
data and at least one register specifically designated for computer data; and 
Output Registers, preferably including at least one register specifically 
designated for satellite data and at least one register specifically designated 
for computer data from other sources. 



In the preferred embodiment, the logic is implemented to provide functions for 
loading Group Keys, loading Data Keys, processing satellite data, and processing 
computer data. The Load Group Key function is used to provide the IFC 45 with the 
necessary Group Key for decryption, when the address of a received frame matches an 
address stored in the access table. Input to the Load Group Key function is a Group Key 
encrypted by the User Key. When the IFC 45 receives this instruction, it retrieves the 
User Key from the UK Register to decrypt the received Group Key, anc stores the 
decrypted Group Key in the GK Register. 

A Load Data Key instruction indicates to the IFC 45 that the input is a Data Key 
encrypted by a Group Key. In response, the IFC 45 will decrypt the input with the 
Group Key stored in the GK Register and store the resulting decrypted Data Key in the 
DK Register. 

When the IFC 45 receives a Process Satellite Data instruction, the input contains 
an incoming satellite data stream frame. The IFC 45 locates the address in the address 
header of the frame and determines whether it has the Data Key necessaury for decryption 
by searching the access table for the frame address. If a match is found, the IFC 45 will 
retrieve the appropriate Group and Data Keys, decrypt the frame and store the decrypted 
frame in an Output Buffer for satellite data; if not, the IFC 45 will discard the frame. 
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Process Computer Data instructions are handled similarly. As previously noted, in 
the preferred embodiment, the IFC encryption/decryption engine is capable of encrypting 
and decrypting data from other sources, transmitted by the computer 50. To enable 
operations to be simultaneously performed on both incoming satellite frames as well as 
5 incoming computer data, the IFC 45 time shares between frame reception and data 

encryption and decryption operations. To process computer data, the computer 50 must 
transmit the key to be used, an indication of whether the key is to be used for encryption 
or decryption, and the data on which the operation is to be performed. Based on this 
input, the IFC 45 will perform the appropriate operation on the data and return the 

10 processed data to the attached computer 50 via the Bus Interface Block 46. 

Thus, unlike systems described in prior an which simply transmit incoming data 
streams into the computer 50, the IFC 45 of the present invention allows the computer 50 
only conditional access to received data streams. In particular, only authorized signals 
are ever downloaded into the computer 50. The preferred embodiment provides enhanced 

15 security by ensuring that none of the keys required at any level of decryption ever appears 
outside the IFC ASIC in decrypted form, and by providing multiple layers of security. 
These layers not only make unauthorized access more difficult, but by implementing the 
layers in the key management system, they also enable a fast, simple method to recover 
from most security problems. More specifically, in response to problems due to an 

20 unauthorized user obtaining a User Key assigned to an authorized subscriber, a new User 
Key can be distributed to that subscriber. Similarly, in response to security problems 
caused by unauthorized access to particular data streams, the data stream and group keys 
required for decrypting those data streams can be changed, and the updated keys provided 
only to authorized users. 

25 Besides security, the IFC 45 provides data management benefits by efficiently 

using memory and computer processing time, which is especially useful in downloading 

large files. The present invention filters incoming data stream frames by determining 

whether the computer is authorized to receive the frame based on its address, accepting 

only authorized frames. This significantly reduces the adapter memory requirements, 

30 since individual frames are decrypted as they are received rather than requiring encrypted 
i 

frames to be buffered in their entirety awaiting decryption. This feature may eliminate 
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the need for buffering frames on the adapter ent.rely, eliminating the nced for buffe „ on 
the adapter card 40 and providing a significant cost reduction. 

Yet another advantage provided by the IPC 45 of the present invention is that by 
proving address-based frame decryption, the adapter card 40 can simultaneously dec' 
multiple data streams that are statistical^ multiplexed on the same broadcast signal 

One skilled in the art will recognize that variations for providing the requ.red 
capabilities of the IPC 45. For example, although the preferred embodiment is 
implemented with the mree level secunty scheme descnbed above, the present invention 
may be Imp lemented with only two ,ev e! s of security by providing only the User Keys 
and the Data Keys. In this case, the User Key serves the same purpose as i„ the thme- 
,level scheme, but the Data Keys wil, be provided to the adapter card 40 encrypted in the 
User Key rather than in a Group Key. Other levels of secunty may likewise be used 
without departing form the claimed invention. 

5 - Bus Interface Rlnrk 

The Bus Interface Block 46 enables communication 46a between the computer and 
the adapter card 40 for, among other things, controlling and monitoring the tuner 41 and 
the demodulator 43 and maintaining the key management system. Additionally, the Bus 
Interface Block 46 allows the attached computer 50 to obtain decrypted frames from the 
IPC Block 46, and to pass bulk data to the IPC 46 for encryption or decryption and 
receive the resulting processed data. After performing the required operation on 
incoming data, one implementation buffers the resulting data in memory provided on the 
adapter card 40, and interrupts the attached computer 50 for retrieval. Alternatively in a 
preferred embodiment, the Bus Interface Block 46 automatically reads the decrypted data 
into the memory of the attached computer 50. 

The present invention, as illustratively embodied in the preferred embodiment 
described above, provides an adapter card receiver 40, to be used in conjunction with a 
connected computer 50, for enabling users to conditionally access and quickly download 
multiple data streams, such as signals transmitted via satellite 20. The invention also 
maintains the security of privileged information by preventing the information to enter the 
computer of unauthorized users. 
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However, it should be understood that a wide range of changes and modifications 
can be made to the preferred embodiment described above. It is therefore intended that 
the foregoing detailed description be illustrative rather than limiting, and that it is the 
following claims, including all equivalents, which are intended to define the scope of this 
invention. 
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WHAT IS CLAIMED IS : 

1- A method for an adapter card, for use in a computer, to provide 
conditional access by the computer to input data streams, wherein a data stream is 1 
comprised of at least one frame and each frame includes an address identifying the data 
stream, comprising the steps of: 

maintaining an. Access Table, wherein each table entry includes an address field 
for storing an address corresponding to a data stream which the computer is authorized to 
receive; 

receiving a frame; 

determining the address from the frame; 

determining whether the frame address matches an address maintained in the 
Access Table; 

discarding the frame if a match is not found; and 

processing and transmitting the frame to the computer through a bus interface if a 
match is found. 



2. The method of claim 1, wherein the data streams are transmitted via 
satellite. 



3. The method of claim 1, wherein the adapter card receives a series of 
frames representing a plurality of multiplexed data streams, thereby providing conditional 
access to each of the multiple data streams. 

4. The method of claim l t wherein each table entry of the Access Table 
further includes a key field for storing a Data Key corresponding to a data stream which 
the computer is authorized to receive, and the method further comprises the steps of: 

retrieving the table entry corresponding to the matching frame and table address; 

and 

if a match is found, decrypting the frame with the Data Key in the retrieved table 

entry. 
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5. The method of claim 4, further comprising the steps of: 
providing a User Key; 

receiving at least one Data Key, encrypted with the User Key; 
storing each Data Key in encrypted form in the Access Table; and 
decrypting the Data Key in the retrieved table entry with the User Key, before 
processing a frame for which a frame match is found. 

6. The method of claim 4, wherein each table entry of the Access Table 
further includes a group field for storing a Group Key corresponding to a data stream 
which the computer is authorized to receive, and the method further comprises the steps 
of: 

providing a User Key; 

receiving at least one Group Key, encrypted with the User Key; 

receiving at least one Data Key, encrypted with the Group Key; 

storing each Group Key and Data Key in encrypted form in the Access Table; and 

decrypting the Group Key in the retrieved table entry with the User Key, and 
decrypting the Data Key in the retrieved table entry with the decrypted Group Key, 
before processing a frame for which a frame match is found. 

7. The method of claim 1, further comprising the step of storing the processed 
frame in an output buffer prior to transmission to the computer. 

8. The method of claim 1, further comprising the step of controlling, by the 
computer, the transmission of the processed frame to the computer. 

9. The method of claim 1, further comprising the step of controlling, by the 
adapter card, the transmission of the processed frame to the computer. 

10. A method for an adapter card for use in a computer, to process input data 
streams, wherein a data stream is comprised of at least one frame, for conditional access 
by the computer, and to process input data transmitted from the computer, comprising the 
steps of: 
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maintaining an Access Table, wherein each table entry includes an address field 
for storing an address corresponding to a data stream which the computer is authorized to 
receive; 

receiving input data; i 

determining whether the input data contains data stream frames or computer data, 
wherein 

if the input data contains data stream frames, for each frame: 
determining an address of the frame; 
determining whether the frame address matches aji address 
maintained in the Access Table; 

discarding the frame if a match is not found; and 
processing the frame into output data if a match Ls found; 
if the input data contains computer data, processing the computer data into output 
data; and 

transmitting the output data to the computer via a bus interface. 

11. The method of claim 10, wherein the data streams are transmitted via 
satellite. 



12. The method of claim 10, wherein input data stream frames comprise a 
series of frames representing a plurality of multiplexed data streams, thereby providing 
conditional access to each of the multiple data streams. 

13. The method of claim 10, wherein input data transmitted from the computer 
includes a data field, a key field, and an instruction field, and if the input data contains 
computer data, the step of processing the computer data into output data further comprises 
the steps of: 

determining the operation to be performed based on the instruction field; 
determining the key based on the key field; 
determining the data based on the data field; and 
performing the determined operation on the data with the key. 
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14. The method of claim 10, wherein each table entry of the Access Table 
further includes a key field for storing a Data Key corresponding to a data stream which 
the computer is authorized to receive, and the steps for processing data stream frames 
further comprise the steps of: 

retrieving the table entry corresponding to the matching frame and table address; 

and 

if a match is found, processing the frame by decrypting the frame with the Data 
Key in the retrieved table entry. 

15. The method of claim 14, wherein the steps for processing data stream 
frames further comprise the steps of: 

providing a User Key; 

receiving at least one Data Key, encrypted with the User Key; and 
decrypting the Data Key in the retrieved table entry with the User Key before 
processing a frame for which a frame match is found. 

16. The method of claim 14, wherein each table entry of the Access Table 
further includes a group field for storing a Group Key corresponding to a data stream 
which the computer is authorized to receive, and the steps for processing data stream 
frames further comprise the steps of: 

providing a User Key; 

receiving at least one Group Key, encrypted with the User Key; 

receiving at least one Data Key, encrypted with the Group Key; 

storing each Group Key and Data Key in encrypted form in the Access Table; and 

decrypting the Group Key in the retrieved table entry with the User Key, and 
decrypting the Data Key in the retrieved table entry with the decrypted Group Key, 
before processing a frame for which a frame match is found. 

17. The method of claim 10, further comprising the step of providing an output 
buffer on the adapter card for storing the output data prior to transmission to the 
computer. 
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18. The method of claim 10, further comprising the step of controlling, by the 
computer, the transmission of the output data to the computer. 

19. The method of claim 10, further comprising the step of controlling, by the 
adapter card, the transmission of the output data to the computer. 

20. An adapter card for use in a computer, for providing conditional access by 
the computer to input data including data streams, wherein each data stream is comprised 
of at least one frame and each frame includes an address identifying the data stream, 
comprising: 

a receiver for receiving a data stream frame; 

an Access Table, wherein each table entry includes an address field for storing an 
address corresponding to a data stream which the computer is authorized to receive; 

an integrated filter/crypto (IFC) block for determining an address of the received 
frame and determining whether the frame address matches an address maintained in the 
Access Table, wherein if a match is not found, the IFC block discards the frame, and if a 
match is found, the IFC block processes the frame into output data; and 

a bus interface for transmitting the output data to the computer. 

21. The adapter card of claim 20, wherein the input data comprises data 
streams transmitted via satellite. 

22. The adapter card of claim 20, wherein the input data further includes data 
from the computer transmitted from the computer through the bus interface to the IFC 
block, and the IFC block processes the computer data into output data. 

23. The adapter card of claim 22, wherein the input data from the computer 
includes data, information indicating a key, and an instruction indicating an operation to 
be performed on the data with the key, and the IFC block processes the computer data by 
performing the indicated operation with the indicated key on the data. 
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24. The adapter card of claim 20, wherein the IFC block is embodied in an 

ASIC. 



25. The adapter card of claim 20, wherein: 

each table entry of the Access Table further includes a key field for storing a Data 
Key corresponding to a data stream which the computer is authorized to receive; and 

the IFC block retrieves the table entry corresponding to the frame address from 
the Access Table, and, if a match is found, uses the Data Key of the retrieved table entry 
to process the frame into output data. 

26. The adapter card of claim 25, further comprising a User Key, stored on the 
adapter card, wherein the adapter card receives Data Keys encrypted with the User Key 
and stores each Data Key in the Access Table in encrypted form, and the IFC block 
decrypts the retrieved Data Key with the User Key and, if a match is found, uses the 
decrypted Data Key for processing the frame. 

27. The adapter card of claim 25, further comprising a User Key, stored on the 
adapter card, wherein: 

each table entry of the Access Table further includes a group field for storing a 
Group Key corresponding to a data stream which the computer is authorized to receive; 

the adapter card receives at least one Group Key encrypted with the User Key and 
receives at least one Data Key encrypted with the Group Key, wherein each Group Key 
and each Data Key is stored in the Access Table in encrypted form; and 

the IFC block decrypts the Group Key in the retrieved table entry with the User 
Key and decrypts the Data Key in the retrieved table entry with the decrypted Group Key, 
before processing a frame for which a frame match is found. 

28. The adapter card of claim 20, further comprising an output buffer for 
storing the output data prior to transmission to the computer. 

29. The adapter card of claim 20, wherein the computer controls the 
transmission of the output data to the computer via the bus interface. 
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30. The adapter card of claim 20, wherein the computer controls the 
transmission of the output data to the computer via the bus interface. 



- 20 - 



1/2 




WO 97/18651 PCT/US96/00580 



2/2 



AO 



Tuner 



Al- 



T 



44- £iA<X "\ 

^ Dcmoduiaxor I Decoder 



DODC 
Converts- 



^-4\V? 



From Computer Power Supply 



r 



4<3 



BUS Intrrfait 



FUrcr 
Crypto Facility 



FIGURE 2 



INTERNATIONAL SEARCH REPORT 



Internationa) application No. 
PCT/US96/00580 



A. CLASSIFICATION OF SUBJECT MATTER 
IPC(6) :H04L9/00 
US CL :380/25 

According to International Patent Classification (IPC) or to both national classification and IPC 



B. FIELDS SEARCHED 



Minimum documentation searched (classification system folJowed by classification symbols) 
U.S. 380/23, 25, 43; 340/825.31 



Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 



C. DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* 



Citation of document, with indication, where appropriate, of the relevant passages 



Relevant to claim No. 



Y, E 



A,P 
Y 



US, A, 5,504,814 (MIYAKARA) 02 April 1996, see Figs. 1, 
5-8. 

US, A, 5,394,469 (NAGEL ET AL) 28 February 1995, see 
Fig. 1. 

US, A, 4,91 8,653 (JOHRI ET AL) 1 7 April 1 990, see Figs. 2 
and 4. 

US, A, 5,483,595 (OWEN) 09 January 1996, see Fig. 1. 

US, A, 5,420,866 (WASILEWSKI) 30 May 1995, see Fig. 
7B. 



| Further document* are listed in the continuation of Box C. | | See patent family annex. 



1-30 

1-30 

1-30 

1-30 
1-30 



•L' 



o- 

I 



Special categoric* of cited documents: 

d orirmrra defining general of (he art which m not considered 
to be of particular relevance 

earlier document published on or after the international filing dale 

docuneni which may throw doubts on priority ctaim(s) or which u 
cited lo establish the publication dace of another citation or other 
special reason (a* specified) 

document referring to ao oral disclosure, use. exhibition or other 

document publiahed prior to the international filing date but later (has 
the priority date claimed 



later document published after the international filing date or priority 
date and oot in conflict with the application but cited to understand the 
principle or theory undcrtymg the invention 

document of particular relevance*, the claimed invention cannot be 
considered novel or cannot be considered to involve an tnvenove step 
when the document is taken alone 

document of particular relevance; the claimed saventioo cannot be 
considered to involve an inventive step when the document is 
combined with one or more other auch documents, such combination 
being obvious to a pcraoo skilled in the art 

document member of the same patent family 



Date of the actual completion of the international search 



07 NOVEMBER 1996 



Name and mailing address of the ISA/US 
Commissioner of PalenU and Trademarks 
Box PCT 

W.ihingion. D.C. 20231 
Facsimile No. (703) 305-3230 



Date of mailing of the international search report 

0 6 MA R 1997 



Authorized officer 
A SALVATORE CANGIALOSI 



Telephone No. (703) 305-1 837 



Form PCT7ISA/210 (second shcet)(Juty 1992)* 




FIGURE 1 



WO 57/1565 J 



PCmJS?WUG58D 



2/2 



AO 



L 



TiiJiei 



T 



Ala 



44- 



^46 



BUS IntTrfir--:. 



4 



FIGURE 2 



